--- /dev/null
+From eac27a41ab641de074655d2932fc7f8cdb446881 Mon Sep 17 00:00:00 2001
+From: Remi Pommarel <repk@triplefau.lt>
+Date: Fri, 28 Jul 2023 15:38:50 +0200
+Subject: batman-adv: Do not get eth header before batadv_check_management_packet
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+commit eac27a41ab641de074655d2932fc7f8cdb446881 upstream.
+
+If received skb in batadv_v_elp_packet_recv or batadv_v_ogm_packet_recv
+is either cloned or non linearized then its data buffer will be
+reallocated by batadv_check_management_packet when skb_cow or
+skb_linearize get called. Thus geting ethernet header address inside
+skb data buffer before batadv_check_management_packet had any chance to
+reallocate it could lead to the following kernel panic:
+
+ Unable to handle kernel paging request at virtual address ffffff8020ab069a
+ Mem abort info:
+ ESR = 0x96000007
+ EC = 0x25: DABT (current EL), IL = 32 bits
+ SET = 0, FnV = 0
+ EA = 0, S1PTW = 0
+ FSC = 0x07: level 3 translation fault
+ Data abort info:
+ ISV = 0, ISS = 0x00000007
+ CM = 0, WnR = 0
+ swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000040f45000
+ [ffffff8020ab069a] pgd=180000007fffa003, p4d=180000007fffa003, pud=180000007fffa003, pmd=180000007fefe003, pte=0068000020ab0706
+ Internal error: Oops: 96000007 [#1] SMP
+ Modules linked in: ahci_mvebu libahci_platform libahci dvb_usb_af9035 dvb_usb_dib0700 dib0070 dib7000m dibx000_common ath11k_pci ath10k_pci ath10k_core mwl8k_new nf_nat_sip nf_conntrack_sip xhci_plat_hcd xhci_hcd nf_nat_pptp nf_conntrack_pptp at24 sbsa_gwdt
+ CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.15.42-00066-g3242268d425c-dirty #550
+ Hardware name: A8k (DT)
+ pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+ pc : batadv_is_my_mac+0x60/0xc0
+ lr : batadv_v_ogm_packet_recv+0x98/0x5d0
+ sp : ffffff8000183820
+ x29: ffffff8000183820 x28: 0000000000000001 x27: ffffff8014f9af00
+ x26: 0000000000000000 x25: 0000000000000543 x24: 0000000000000003
+ x23: ffffff8020ab0580 x22: 0000000000000110 x21: ffffff80168ae880
+ x20: 0000000000000000 x19: ffffff800b561000 x18: 0000000000000000
+ x17: 0000000000000000 x16: 0000000000000000 x15: 00dc098924ae0032
+ x14: 0f0405433e0054b0 x13: ffffffff00000080 x12: 0000004000000001
+ x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
+ x8 : 0000000000000000 x7 : ffffffc076dae000 x6 : ffffff8000183700
+ x5 : ffffffc00955e698 x4 : ffffff80168ae000 x3 : ffffff80059cf000
+ x2 : ffffff800b561000 x1 : ffffff8020ab0696 x0 : ffffff80168ae880
+ Call trace:
+ batadv_is_my_mac+0x60/0xc0
+ batadv_v_ogm_packet_recv+0x98/0x5d0
+ batadv_batman_skb_recv+0x1b8/0x244
+ __netif_receive_skb_core.isra.0+0x440/0xc74
+ __netif_receive_skb_one_core+0x14/0x20
+ netif_receive_skb+0x68/0x140
+ br_pass_frame_up+0x70/0x80
+ br_handle_frame_finish+0x108/0x284
+ br_handle_frame+0x190/0x250
+ __netif_receive_skb_core.isra.0+0x240/0xc74
+ __netif_receive_skb_list_core+0x6c/0x90
+ netif_receive_skb_list_internal+0x1f4/0x310
+ napi_complete_done+0x64/0x1d0
+ gro_cell_poll+0x7c/0xa0
+ __napi_poll+0x34/0x174
+ net_rx_action+0xf8/0x2a0
+ _stext+0x12c/0x2ac
+ run_ksoftirqd+0x4c/0x7c
+ smpboot_thread_fn+0x120/0x210
+ kthread+0x140/0x150
+ ret_from_fork+0x10/0x20
+ Code: f9403844 eb03009f 54fffee1 f94
+
+Thus ethernet header address should only be fetched after
+batadv_check_management_packet has been called.
+
+Fixes: 0da0035942d4 ("batman-adv: OGMv2 - add basic infrastructure")
+Cc: stable@vger.kernel.org
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_v_elp.c | 3 ++-
+ net/batman-adv/bat_v_ogm.c | 3 ++-
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -513,7 +513,7 @@ int batadv_v_elp_packet_recv(struct sk_b
+ struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
+ struct batadv_elp_packet *elp_packet;
+ struct batadv_hard_iface *primary_if;
+- struct ethhdr *ethhdr = (struct ethhdr *)skb_mac_header(skb);
++ struct ethhdr *ethhdr;
+ bool res;
+ int ret = NET_RX_DROP;
+
+@@ -521,6 +521,7 @@ int batadv_v_elp_packet_recv(struct sk_b
+ if (!res)
+ goto free_skb;
+
++ ethhdr = eth_hdr(skb);
+ if (batadv_is_my_mac(bat_priv, ethhdr->h_source))
+ goto free_skb;
+
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -832,7 +832,7 @@ int batadv_v_ogm_packet_recv(struct sk_b
+ {
+ struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
+ struct batadv_ogm2_packet *ogm_packet;
+- struct ethhdr *ethhdr = eth_hdr(skb);
++ struct ethhdr *ethhdr;
+ int ogm_offset;
+ u8 *packet_pos;
+ int ret = NET_RX_DROP;
+@@ -846,6 +846,7 @@ int batadv_v_ogm_packet_recv(struct sk_b
+ if (!batadv_check_management_packet(skb, if_incoming, BATADV_OGM2_HLEN))
+ goto free_skb;
+
++ ethhdr = eth_hdr(skb);
+ if (batadv_is_my_mac(bat_priv, ethhdr->h_source))
+ goto free_skb;
+
--- /dev/null
+From d8e42a2b0addf238be8b3b37dcd9795a5c1be459 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 19 Jul 2023 10:01:15 +0200
+Subject: batman-adv: Don't increase MTU when set by user
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit d8e42a2b0addf238be8b3b37dcd9795a5c1be459 upstream.
+
+If the user set an MTU value, it usually means that there are special
+requirements for the MTU. But if an interface gots activated, the MTU was
+always recalculated and then the user set value was overwritten.
+
+The only reason why this user set value has to be overwritten, is when the
+MTU has to be decreased because batman-adv is not able to transfer packets
+with the user specified size.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/hard-interface.c | 14 +++++++++++++-
+ net/batman-adv/soft-interface.c | 3 +++
+ net/batman-adv/types.h | 6 ++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -643,7 +643,19 @@ out:
+ */
+ void batadv_update_min_mtu(struct net_device *soft_iface)
+ {
+- dev_set_mtu(soft_iface, batadv_hardif_min_mtu(soft_iface));
++ struct batadv_priv *bat_priv = netdev_priv(soft_iface);
++ int limit_mtu;
++ int mtu;
++
++ mtu = batadv_hardif_min_mtu(soft_iface);
++
++ if (bat_priv->mtu_set_by_user)
++ limit_mtu = bat_priv->mtu_set_by_user;
++ else
++ limit_mtu = ETH_DATA_LEN;
++
++ mtu = min(mtu, limit_mtu);
++ dev_set_mtu(soft_iface, mtu);
+
+ /* Check if the local translate table should be cleaned up to match a
+ * new (and smaller) MTU.
+--- a/net/batman-adv/soft-interface.c
++++ b/net/batman-adv/soft-interface.c
+@@ -167,11 +167,14 @@ static int batadv_interface_set_mac_addr
+
+ static int batadv_interface_change_mtu(struct net_device *dev, int new_mtu)
+ {
++ struct batadv_priv *bat_priv = netdev_priv(dev);
++
+ /* check ranges */
+ if (new_mtu < 68 || new_mtu > batadv_hardif_min_mtu(dev))
+ return -EINVAL;
+
+ dev->mtu = new_mtu;
++ bat_priv->mtu_set_by_user = new_mtu;
+
+ return 0;
+ }
+--- a/net/batman-adv/types.h
++++ b/net/batman-adv/types.h
+@@ -1515,6 +1515,12 @@ struct batadv_priv {
+ struct net_device *soft_iface;
+
+ /**
++ * @mtu_set_by_user: MTU was set once by user
++ * protected by rtnl_lock
++ */
++ int mtu_set_by_user;
++
++ /**
+ * @bat_counters: mesh internal traffic statistic counters (see
+ * batadv_counters)
+ */
--- /dev/null
+From 421d467dc2d483175bad4fb76a31b9e5a3d744cf Mon Sep 17 00:00:00 2001
+From: Remi Pommarel <repk@triplefau.lt>
+Date: Wed, 9 Aug 2023 17:29:13 +0200
+Subject: batman-adv: Fix batadv_v_ogm_aggr_send memory leak
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+commit 421d467dc2d483175bad4fb76a31b9e5a3d744cf upstream.
+
+When batadv_v_ogm_aggr_send is called for an inactive interface, the skb
+is silently dropped by batadv_v_ogm_send_to_if() but never freed causing
+the following memory leak:
+
+ unreferenced object 0xffff00000c164800 (size 512):
+ comm "kworker/u8:1", pid 2648, jiffies 4295122303 (age 97.656s)
+ hex dump (first 32 bytes):
+ 00 80 af 09 00 00 ff ff e1 09 00 00 75 01 60 83 ............u.`.
+ 1f 00 00 00 b8 00 00 00 15 00 05 00 da e3 d3 64 ...............d
+ backtrace:
+ [<0000000007ad20f6>] __kmalloc_track_caller+0x1a8/0x310
+ [<00000000d1029e55>] kmalloc_reserve.constprop.0+0x70/0x13c
+ [<000000008b9d4183>] __alloc_skb+0xec/0x1fc
+ [<00000000c7af5051>] __netdev_alloc_skb+0x48/0x23c
+ [<00000000642ee5f5>] batadv_v_ogm_aggr_send+0x50/0x36c
+ [<0000000088660bd7>] batadv_v_ogm_aggr_work+0x24/0x40
+ [<0000000042fc2606>] process_one_work+0x3b0/0x610
+ [<000000002f2a0b1c>] worker_thread+0xa0/0x690
+ [<0000000059fae5d4>] kthread+0x1fc/0x210
+ [<000000000c587d3a>] ret_from_fork+0x10/0x20
+
+Free the skb in that case to fix this leak.
+
+Cc: stable@vger.kernel.org
+Fixes: 0da0035942d4 ("batman-adv: OGMv2 - add basic infrastructure")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_v_ogm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -119,8 +119,10 @@ static void batadv_v_ogm_send_to_if(stru
+ {
+ struct batadv_priv *bat_priv = netdev_priv(hard_iface->soft_iface);
+
+- if (hard_iface->if_status != BATADV_IF_ACTIVE)
++ if (hard_iface->if_status != BATADV_IF_ACTIVE) {
++ kfree_skb(skb);
+ return;
++ }
+
+ batadv_inc_counter(bat_priv, BATADV_CNT_MGMT_TX);
+ batadv_add_counter(bat_priv, BATADV_CNT_MGMT_TX_BYTES,
--- /dev/null
+From d25ddb7e788d34cf27ff1738d11a87cb4b67d446 Mon Sep 17 00:00:00 2001
+From: Remi Pommarel <repk@triplefau.lt>
+Date: Fri, 4 Aug 2023 11:39:36 +0200
+Subject: batman-adv: Fix TT global entry leak when client roamed back
+
+From: Remi Pommarel <repk@triplefau.lt>
+
+commit d25ddb7e788d34cf27ff1738d11a87cb4b67d446 upstream.
+
+When a client roamed back to a node before it got time to destroy the
+pending local entry (i.e. within the same originator interval) the old
+global one is directly removed from hash table and left as such.
+
+But because this entry had an extra reference taken at lookup (i.e using
+batadv_tt_global_hash_find) there is no way its memory will be reclaimed
+at any time causing the following memory leak:
+
+ unreferenced object 0xffff0000073c8000 (size 18560):
+ comm "softirq", pid 0, jiffies 4294907738 (age 228.644s)
+ hex dump (first 32 bytes):
+ 06 31 ac 12 c7 7a 05 00 01 00 00 00 00 00 00 00 .1...z..........
+ 2c ad be 08 00 80 ff ff 6c b6 be 08 00 80 ff ff ,.......l.......
+ backtrace:
+ [<00000000ee6e0ffa>] kmem_cache_alloc+0x1b4/0x300
+ [<000000000ff2fdbc>] batadv_tt_global_add+0x700/0xe20
+ [<00000000443897c7>] _batadv_tt_update_changes+0x21c/0x790
+ [<000000005dd90463>] batadv_tt_update_changes+0x3c/0x110
+ [<00000000a2d7fc57>] batadv_tt_tvlv_unicast_handler_v1+0xafc/0xe10
+ [<0000000011793f2a>] batadv_tvlv_containers_process+0x168/0x2b0
+ [<00000000b7cbe2ef>] batadv_recv_unicast_tvlv+0xec/0x1f4
+ [<0000000042aef1d8>] batadv_batman_skb_recv+0x25c/0x3a0
+ [<00000000bbd8b0a2>] __netif_receive_skb_core.isra.0+0x7a8/0xe90
+ [<000000004033d428>] __netif_receive_skb_one_core+0x64/0x74
+ [<000000000f39a009>] __netif_receive_skb+0x48/0xe0
+ [<00000000f2cd8888>] process_backlog+0x174/0x344
+ [<00000000507d6564>] __napi_poll+0x58/0x1f4
+ [<00000000b64ef9eb>] net_rx_action+0x504/0x590
+ [<00000000056fa5e4>] _stext+0x1b8/0x418
+ [<00000000878879d6>] run_ksoftirqd+0x74/0xa4
+ unreferenced object 0xffff00000bae1a80 (size 56):
+ comm "softirq", pid 0, jiffies 4294910888 (age 216.092s)
+ hex dump (first 32 bytes):
+ 00 78 b1 0b 00 00 ff ff 0d 50 00 00 00 00 00 00 .x.......P......
+ 00 00 00 00 00 00 00 00 50 c8 3c 07 00 00 ff ff ........P.<.....
+ backtrace:
+ [<00000000ee6e0ffa>] kmem_cache_alloc+0x1b4/0x300
+ [<00000000d9aaa49e>] batadv_tt_global_add+0x53c/0xe20
+ [<00000000443897c7>] _batadv_tt_update_changes+0x21c/0x790
+ [<000000005dd90463>] batadv_tt_update_changes+0x3c/0x110
+ [<00000000a2d7fc57>] batadv_tt_tvlv_unicast_handler_v1+0xafc/0xe10
+ [<0000000011793f2a>] batadv_tvlv_containers_process+0x168/0x2b0
+ [<00000000b7cbe2ef>] batadv_recv_unicast_tvlv+0xec/0x1f4
+ [<0000000042aef1d8>] batadv_batman_skb_recv+0x25c/0x3a0
+ [<00000000bbd8b0a2>] __netif_receive_skb_core.isra.0+0x7a8/0xe90
+ [<000000004033d428>] __netif_receive_skb_one_core+0x64/0x74
+ [<000000000f39a009>] __netif_receive_skb+0x48/0xe0
+ [<00000000f2cd8888>] process_backlog+0x174/0x344
+ [<00000000507d6564>] __napi_poll+0x58/0x1f4
+ [<00000000b64ef9eb>] net_rx_action+0x504/0x590
+ [<00000000056fa5e4>] _stext+0x1b8/0x418
+ [<00000000878879d6>] run_ksoftirqd+0x74/0xa4
+
+Releasing the extra reference from batadv_tt_global_hash_find even at
+roam back when batadv_tt_global_free is called fixes this memory leak.
+
+Cc: stable@vger.kernel.org
+Fixes: 068ee6e204e1 ("batman-adv: roaming handling mechanism redesign")
+Signed-off-by: Remi Pommarel <repk@triplefau.lt>
+Signed-off-by; Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/translation-table.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -793,7 +793,6 @@ check_roaming:
+ if (roamed_back) {
+ batadv_tt_global_free(bat_priv, tt_global,
+ "Roaming canceled");
+- tt_global = NULL;
+ } else {
+ /* The global entry has to be marked as ROAMING and
+ * has to be kept for consistency purpose
--- /dev/null
+From c6a953cce8d0438391e6da48c8d0793d3fbfcfa6 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Wed, 19 Jul 2023 09:29:29 +0200
+Subject: batman-adv: Trigger events for auto adjusted MTU
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit c6a953cce8d0438391e6da48c8d0793d3fbfcfa6 upstream.
+
+If an interface changes the MTU, it is expected that an NETDEV_PRECHANGEMTU
+and NETDEV_CHANGEMTU notification events is triggered. This worked fine for
+.ndo_change_mtu based changes because core networking code took care of it.
+But for auto-adjustments after hard-interfaces changes, these events were
+simply missing.
+
+Due to this problem, non-batman-adv components weren't aware of MTU changes
+and thus couldn't perform their own tasks correctly.
+
+Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
+Cc: stable@vger.kernel.org
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/hard-interface.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/hard-interface.c
++++ b/net/batman-adv/hard-interface.c
+@@ -643,7 +643,7 @@ out:
+ */
+ void batadv_update_min_mtu(struct net_device *soft_iface)
+ {
+- soft_iface->mtu = batadv_hardif_min_mtu(soft_iface);
++ dev_set_mtu(soft_iface, batadv_hardif_min_mtu(soft_iface));
+
+ /* Check if the local translate table should be cleaned up to match a
+ * new (and smaller) MTU.
--- /dev/null
+From 382d4cd1847517ffcb1800fd462b625db7b2ebea Mon Sep 17 00:00:00 2001
+From: Helge Deller <deller@gmx.de>
+Date: Fri, 25 Aug 2023 21:50:33 +0200
+Subject: lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels
+
+From: Helge Deller <deller@gmx.de>
+
+commit 382d4cd1847517ffcb1800fd462b625db7b2ebea upstream.
+
+The gcc compiler translates on some architectures the 64-bit
+__builtin_clzll() function to a call to the libgcc function __clzdi2(),
+which should take a 64-bit parameter on 32- and 64-bit platforms.
+
+But in the current kernel code, the built-in __clzdi2() function is
+defined to operate (wrongly) on 32-bit parameters if BITS_PER_LONG ==
+32, thus the return values on 32-bit kernels are in the range from
+[0..31] instead of the expected [0..63] range.
+
+This patch fixes the in-kernel functions __clzdi2() and __ctzdi2() to
+take a 64-bit parameter on 32-bit kernels as well, thus it makes the
+functions identical for 32- and 64-bit kernels.
+
+This bug went unnoticed since kernel 3.11 for over 10 years, and here
+are some possible reasons for that:
+
+ a) Some architectures have assembly instructions to count the bits and
+ which are used instead of calling __clzdi2(), e.g. on x86 the bsr
+ instruction and on ppc cntlz is used. On such architectures the
+ wrong __clzdi2() implementation isn't used and as such the bug has
+ no effect and won't be noticed.
+
+ b) Some architectures link to libgcc.a, and the in-kernel weak
+ functions get replaced by the correct 64-bit variants from libgcc.a.
+
+ c) __builtin_clzll() and __clzdi2() doesn't seem to be used in many
+ places in the kernel, and most likely only in uncritical functions,
+ e.g. when printing hex values via seq_put_hex_ll(). The wrong return
+ value will still print the correct number, but just in a wrong
+ formatting (e.g. with too many leading zeroes).
+
+ d) 32-bit kernels aren't used that much any longer, so they are less
+ tested.
+
+A trivial testcase to verify if the currently running 32-bit kernel is
+affected by the bug is to look at the output of /proc/self/maps:
+
+Here the kernel uses a correct implementation of __clzdi2():
+
+ root@debian:~# cat /proc/self/maps
+ 00010000-00019000 r-xp 00000000 08:05 787324 /usr/bin/cat
+ 00019000-0001a000 rwxp 00009000 08:05 787324 /usr/bin/cat
+ 0001a000-0003b000 rwxp 00000000 00:00 0 [heap]
+ f7551000-f770d000 r-xp 00000000 08:05 794765 /usr/lib/hppa-linux-gnu/libc.so.6
+ ...
+
+and this kernel uses the broken implementation of __clzdi2():
+
+ root@debian:~# cat /proc/self/maps
+ 0000000010000-0000000019000 r-xp 00000000 000000008:000000005 787324 /usr/bin/cat
+ 0000000019000-000000001a000 rwxp 000000009000 000000008:000000005 787324 /usr/bin/cat
+ 000000001a000-000000003b000 rwxp 00000000 00:00 0 [heap]
+ 00000000f73d1000-00000000f758d000 r-xp 00000000 000000008:000000005 794765 /usr/lib/hppa-linux-gnu/libc.so.6
+ ...
+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Fixes: 4df87bb7b6a22 ("lib: add weak clz/ctz functions")
+Cc: Chanho Min <chanho.min@lge.com>
+Cc: Geert Uytterhoeven <geert@linux-m68k.org>
+Cc: stable@vger.kernel.org # v3.11+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/clz_ctz.c | 32 ++++++--------------------------
+ 1 file changed, 6 insertions(+), 26 deletions(-)
+
+--- a/lib/clz_ctz.c
++++ b/lib/clz_ctz.c
+@@ -30,36 +30,16 @@ int __weak __clzsi2(int val)
+ }
+ EXPORT_SYMBOL(__clzsi2);
+
+-int __weak __clzdi2(long val);
+-int __weak __ctzdi2(long val);
+-#if BITS_PER_LONG == 32
+-
+-int __weak __clzdi2(long val)
++int __weak __clzdi2(u64 val);
++int __weak __clzdi2(u64 val)
+ {
+- return 32 - fls((int)val);
++ return 64 - fls64(val);
+ }
+ EXPORT_SYMBOL(__clzdi2);
+
+-int __weak __ctzdi2(long val)
++int __weak __ctzdi2(u64 val);
++int __weak __ctzdi2(u64 val)
+ {
+- return __ffs((u32)val);
++ return __ffs64(val);
+ }
+ EXPORT_SYMBOL(__ctzdi2);
+-
+-#elif BITS_PER_LONG == 64
+-
+-int __weak __clzdi2(long val)
+-{
+- return 64 - fls64((u64)val);
+-}
+-EXPORT_SYMBOL(__clzdi2);
+-
+-int __weak __ctzdi2(long val)
+-{
+- return __ffs64((u64)val);
+-}
+-EXPORT_SYMBOL(__ctzdi2);
+-
+-#else
+-#error BITS_PER_LONG not 32 or 64
+-#endif
--- /dev/null
+From e7f2e65699e2290fd547ec12a17008764e5d9620 Mon Sep 17 00:00:00 2001
+From: Wei Chen <harperchen1110@gmail.com>
+Date: Thu, 10 Aug 2023 08:23:33 +0000
+Subject: media: vcodec: Fix potential array out-of-bounds in encoder queue_setup
+
+From: Wei Chen <harperchen1110@gmail.com>
+
+commit e7f2e65699e2290fd547ec12a17008764e5d9620 upstream.
+
+variable *nplanes is provided by user via system call argument. The
+possible value of q_data->fmt->num_planes is 1-3, while the value
+of *nplanes can be 1-8. The array access by index i can cause array
+out-of-bounds.
+
+Fix this bug by checking *nplanes against the array size.
+
+Fixes: 4e855a6efa54 ("[media] vcodec: mediatek: Add Mediatek V4L2 Video Encoder Driver")
+Signed-off-by: Wei Chen <harperchen1110@gmail.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c
++++ b/drivers/media/platform/mtk-vcodec/mtk_vcodec_enc.c
+@@ -766,6 +766,8 @@ static int vb2ops_venc_queue_setup(struc
+ return -EINVAL;
+
+ if (*nplanes) {
++ if (*nplanes != q_data->fmt->num_planes)
++ return -EINVAL;
+ for (i = 0; i < *nplanes; i++)
+ if (sizes[i] < q_data->sizeimage[i])
+ return -EINVAL;
--- /dev/null
+From 3b816601e279756e781e6c4d9b3f3bd21a72ac67 Mon Sep 17 00:00:00 2001
+From: Benjamin Coddington <bcodding@redhat.com>
+Date: Fri, 4 Aug 2023 10:52:20 -0400
+Subject: nfsd: Fix race to FREE_STATEID and cl_revoked
+
+From: Benjamin Coddington <bcodding@redhat.com>
+
+commit 3b816601e279756e781e6c4d9b3f3bd21a72ac67 upstream.
+
+We have some reports of linux NFS clients that cannot satisfy a linux knfsd
+server that always sets SEQ4_STATUS_RECALLABLE_STATE_REVOKED even though
+those clients repeatedly walk all their known state using TEST_STATEID and
+receive NFS4_OK for all.
+
+Its possible for revoke_delegation() to set NFS4_REVOKED_DELEG_STID, then
+nfsd4_free_stateid() finds the delegation and returns NFS4_OK to
+FREE_STATEID. Afterward, revoke_delegation() moves the same delegation to
+cl_revoked. This would produce the observed client/server effect.
+
+Fix this by ensuring that the setting of sc_type to NFS4_REVOKED_DELEG_STID
+and move to cl_revoked happens within the same cl_lock. This will allow
+nfsd4_free_stateid() to properly remove the delegation from cl_revoked.
+
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2217103
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2176575
+Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
+Cc: stable@vger.kernel.org # v4.17+
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs4state.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs4state.c
++++ b/fs/nfsd/nfs4state.c
+@@ -1019,9 +1019,9 @@ static void revoke_delegation(struct nfs
+ WARN_ON(!list_empty(&dp->dl_recall_lru));
+
+ if (clp->cl_minorversion) {
++ spin_lock(&clp->cl_lock);
+ dp->dl_stid.sc_type = NFS4_REVOKED_DELEG_STID;
+ refcount_inc(&dp->dl_stid.sc_count);
+- spin_lock(&clp->cl_lock);
+ list_add(&dp->dl_recall_lru, &clp->cl_revoked);
+ spin_unlock(&clp->cl_lock);
+ }
ipvs-improve-robustness-to-the-ipvs-sysctl.patch
ipvs-fix-racy-memcpy-in-proc_do_sync_threshold.patch
ibmveth-use-dcbf-rather-than-dcbfl.patch
+nfsd-fix-race-to-free_stateid-and-cl_revoked.patch
+batman-adv-trigger-events-for-auto-adjusted-mtu.patch
+batman-adv-don-t-increase-mtu-when-set-by-user.patch
+batman-adv-do-not-get-eth-header-before-batadv_check_management_packet.patch
+batman-adv-fix-tt-global-entry-leak-when-client-roamed-back.patch
+batman-adv-fix-batadv_v_ogm_aggr_send-memory-leak.patch
+lib-clz_ctz.c-fix-__clzdi2-and-__ctzdi2-for-32-bit-kernels.patch
+media-vcodec-fix-potential-array-out-of-bounds-in-encoder-queue_setup.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
